Seccomp is a Linux kernel mechanism that restricts the actions available inside a container by limiting the system calls its processes may make. The seccomp profile of a container is set through the seccompProfile field of its securityContext, either at pod level (inherited by every container in the pod) or at container level (which overrides the pod-level setting for that container only).
Running containers or Pods with the seccomp profile type Unconfined means one less isolation layer protecting your cluster: a compromised process can reach every system call the kernel exposes, including ones the workload never needs. The security community advises against it, as it hands attackers dangerous privileges. No container in your cluster should run unconfined, especially in production environments.
Kubernetes applies no seccomp profile on its own: unless the kubelet has been explicitly configured to use RuntimeDefault as its default (the SeccompDefault feature, which appeared as alpha in 1.22 and is off unless enabled in the kubelet configuration), every pod that does not specify a seccompProfile runs unconfined and is exposed to this threat. Do not rely on cluster defaults; set the profile in the manifest.
Targeted resources by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job
Complexity: medium
Policy as code identifier: CONTAINERS_INCORRECT_SECCOMP_PROFILE
This rule will fail when seccompProfile is not configured for a container (neither at pod level nor at container level), or when its type is anything other than the two confined types Kubernetes supports, RuntimeDefault and Localhost. Note that a container-level Unconfined setting fails the rule even if the pod-level securityContext sets RuntimeDefault, because the container-level value wins.
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent containers from having unnecessary system call privileges [1 occurrence]
💡 Incorrect value for key `seccompProfile` - set an explicit value to prevent malicious use of system calls within the container
How to fix this failure
Set the seccompProfile type to RuntimeDefault (the container runtime's default profile, which blocks the system calls most workloads never need) at pod level so every container inherits it, or to Localhost together with a localhostProfile path when the node carries a custom profile for that workload. Remove any container-level seccompProfile of type Unconfined that would override the pod-level setting.
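The check described above, implemented as an added example in Python (this is not Datree's own code). It walks each kind the rule targets to find the PodSpec, resolves the effective profile of every container with container-level settings overriding pod-level ones, and reports containers that are unconfined or misconfigured. It goes slightly beyond the page's wording in one place: a Localhost profile without a localhostProfile path is also reported, because the Kubernetes API requires that field. The manifests are constructed samples written as Python dicts that mirror the YAML field layout, so the script runs offline without a YAML parser.

```python
# Reference implementation of the seccompProfile check (added example).
# Manifests are plain dicts mirroring the YAML layout of the real objects.

ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}
WORKLOAD_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}


def pod_spec_of(manifest):
    """Locate the PodSpec inside each kind the rule targets; None for other kinds."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        # CronJob -> spec.jobTemplate.spec.template.spec
        return (spec.get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    if kind in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec", {})
    return None


def effective_profile(pod_spec, container):
    """A container-level seccompProfile overrides the pod-level one, if any."""
    own = (container.get("securityContext") or {}).get("seccompProfile")
    if own is not None:
        return own
    return (pod_spec.get("securityContext") or {}).get("seccompProfile")


def check_seccomp(manifest):
    """Return (container name, reason) for every container that would run
    unconfined or with an unusable profile. An empty list means the manifest passes."""
    pod_spec = pod_spec_of(manifest)
    if pod_spec is None:
        return []
    failures = []
    for field in ("initContainers", "containers"):
        for container in pod_spec.get(field, []):
            profile = effective_profile(pod_spec, container)
            if profile is None:
                failures.append((container["name"], "seccompProfile not configured"))
            elif profile.get("type") not in ALLOWED_TYPES:
                failures.append((container["name"],
                                 f"seccompProfile type {profile.get('type')!r} "
                                 "is not RuntimeDefault or Localhost"))
            elif profile["type"] == "Localhost" and not profile.get("localhostProfile"):
                # Stricter than the page's wording: the Kubernetes API requires
                # localhostProfile whenever type is Localhost.
                failures.append((container["name"],
                                 "Localhost profile without a localhostProfile path"))
    return failures


# Constructed sample manifests (not taken from the page).
FAIL_EXAMPLE = {  # no seccompProfile anywhere: runs unconfined on a default kubelet
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{"name": "app", "image": "app:1"}]}}},
}

OVERRIDE_EXAMPLE = {  # pod level is fine, but one container opts out again
    "kind": "Pod",
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "app:1"},
            {"name": "debug", "image": "tools:1",
             "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ],
    },
}

PASS_EXAMPLE = {  # pod-level RuntimeDefault inherited by init and regular containers
    "kind": "CronJob",
    "spec": {"jobTemplate": {"spec": {"template": {"spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "initContainers": [{"name": "init", "image": "init:1"}],
        "containers": [{"name": "worker", "image": "worker:1",
                        "securityContext": {"seccompProfile": {
                            "type": "Localhost",
                            "localhostProfile": "profiles/worker.json"}}}],
    }}}}},
}


if __name__ == "__main__":
    for name, manifest in [("fail", FAIL_EXAMPLE), ("override", OVERRIDE_EXAMPLE),
                           ("pass", PASS_EXAMPLE)]:
        print(name, check_seccomp(manifest) or "OK")
```

The second sample is the case worth remembering: a manifest can look compliant at pod level and still ship an unconfined container, so a check has to resolve the profile per container rather than only inspecting the pod's securityContext.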